Cybersecurity package: towards a true European governance of cybersecurity
The European Commission adopted on 13 September a series of measures to increase the cyber protection of European industries and citizens, including a strengthened EU cybersecurity agency. FERMA has previously raised its concerns about the lack of focus on risk governance in cybersecurity and welcomes the current initiative, which is a strong package.
The Commission is now reaching the middle of its 2014-2019 mandate. These plans are part of the mid-term review of the Digital Single Market strategy (DSM), which was first delivered in May 2015. Among the key ideas are:
A Cybersecurity Act to create an EU Cybersecurity Agency to assist Member States in dealing with cyber-attacks,
A European certification scheme to ensure that products and services in the digital world are safe to use, and
A new directive to combat cyber fraud and counterfeiting of non-cash methods of payment.
EU Cybersecurity Agency
The Commission has proposed a Regulation to reinforce the mandate and roughly double the resources of the EU Agency for Network and Information Security (ENISA) and turn it into an "EU Cybersecurity Agency".
The mandate will be extended to assist Member States in preventing and responding to sudden and simultaneous cyber-attacks like WannaCry or Petya. To fight large-scale cross-border attacks, ENISA will also be empowered to organise yearly pan-European cybersecurity exercises.
To this end, the Commission has published a recommendation for a blueprint for an EU-coordinated response to large-scale cybersecurity incidents and crises. The processes primarily involve EU and Member State institutions, with a deepening relationship with NATO on cyber defence, but the recommendation also calls for the involvement of private sector entities as appropriate.
EU-wide certification framework
The Cybersecurity Act will mandate ENISA to establish a new European cybersecurity certification framework, comparable to food labels but for online goods and services. Cybersecurity certificates would be recognised across Member States, thereby cutting down on costs and administrative burden for companies.
Eventually, existing certificates issued under national cybersecurity certification schemes should gradually disappear once the products and services they cover fall under a future European cybersecurity certification scheme. The open question is whether certification under the European framework will be mandatory or voluntary.
Non-cash payment fraud prevention
The Commission is proposing a new Directive to combat the fraud and counterfeiting of non-cash means of payment. It aims to boost Member States' capacity to prosecute and sanction cyber criminals, including through criminal justice cooperation and harmonised penalties across the EU.
As shown in Europol's 2017 Internet Organised Crime Threat Assessment (IOCTA), cybercrime, and payment fraud in particular, is becoming increasingly sophisticated and cross-border.